I guess many information security specialists make one fatal mistake when speaking to their management: they assume their executives understand the basics of information security. (Unfortunately, sometimes I’m not an exception to that rule, either.)
Therefore, I think we should figure out how to explain to our CEOs the way information security works, i.e., give them some clear implementation structure that is easy to understand and that has business aspects incorporated into it. Actually, I did such an exercise, and came up with these 9 steps that I explain in detail in my free eBook 9 Steps to Cybersecurity: The Manager’s Information Security Strategy Manual:
Step #1 – Explore the legislation and other requirements. I think this is the best step for managers to start thinking about information security, because there are more and more laws and regulations with which companies are required to comply, and compliance is very often the best primer for these kinds of projects. Furthermore, there are various contractual obligations like Service Level Agreements (SLAs), and it could be extremely expensive to lose a client because of non-compliance.
Step #2 – Define the benefits & get support from top management. Even though a CEO or some other top executive might understand the need for compliance, other members of top management probably won’t buy into this idea – this is why it is important to find some other benefits for implementing information security. I usually recommend thinking about four types of benefits: compliance, marketing, lowering costs, and optimizing business processes. (For details of these four see this article: Four key benefits of ISO 27001 implementation.)
Step #3 – Setting the cybersecurity objectives. Management always wants to know what they will get if they make an investment – this is why clear information security objectives are of critical importance. Not only will they give a clear vision of what should be achieved, but clear and measurable objectives will also give the basis for determining whether such goals were actually reached.
Step #4 – Choose the framework for cybersecurity implementation. If you’re already dealing with information security, then you know how complicated things can get. Now imagine how it is for someone whose primary job is the Profit & Loss statement (and who doesn’t understand what the purpose of a firewall is). This is why it is best to use one of the leading standards/frameworks – e.g., ISO 27001, COBIT, PCI DSS, NIST SP 800 publications, etc. – which explain not only how information security is to be implemented, but also what everyone’s role should be in such an implementation.
Step #5 – Organizing the implementation. No, information security cannot be implemented by one person alone, and no – this is not only an IT job. This is something top managers need to understand before the implementation starts. So, the best way to implement information security is by treating it as a company-wide project – with a project manager, a sponsor, clear deliverables and deadlines, etc.
Step #6 – Risk assessment & mitigation. Actually, information security shouldn’t be a game of guessing, but a game of systematic research into the deficiencies in a company’s system, and of making educated decisions about the best course of action for treating them. It is very important that managers understand that risk management has a central place in information security management, because this is where the priorities will come from. (See also ISO 27001 risk assessment & treatment – 6 basic steps.)
Step #7 – Implementation of safeguards. Once the risk assessment and treatment are finished, it should be clear which security controls should be implemented. Usually, managers are surprised by the fact that, for the most part, it is not the technology that needs to be changed, but the human behavior. This is because most of the problems exist because people do not know how to use the technology in a secure way – and the solution to this is setting clear policies and procedures.
Step #8 – Training & awareness. Who wouldn’t be angry at some new security rule that slows down the business process? This is where management has to play a key role – first, they have to understand the importance of such rules themselves; second, they have to make sure everyone in the organization understands them, too. Otherwise, the whole information security effort will become a subject of mockery, instead of being a part of everyday life.
Step #9 – Cybersecurity is a never-ending story. Managing sales or finances never stops, does it? Well, managers need to understand that managing information security is similar – the fact that you have finished your project, or that you got an ISO 27001 certificate, doesn’t mean that you can leave it all behind. If you want your information security to work, you can never stop taking care of it – the same way you take care of your sales on a daily basis.
The fact is, it would be very difficult to leave out any of these steps – otherwise, the whole information security effort would probably fail. This is why information security professionals shouldn’t be working with their firewalls and anti-virus tools only – they should also work with their managers so that they understand each and every one of these steps.
Click here to download the free eBook 9 Steps to Cybersecurity: The Manager’s Information Security Strategy Manual.